Q&A with Joshua Konvisser of Pillsbury Winthrop Shaw Pittman
The BYOD trend and enterprise mobility in general are raising legal issues regarding employee privacy and data security that enterprises will need to address to avoid lawsuits and regulatory fines.
To address these legal issues, enterprises need to institute strong privacy and data security guarantees in their BYOD policies and back up these policies with technology, such as mobile device management (MDM) and containerization products.
To explore the legal issues raised by BYOD and enterprise mobility, FierceMobileIT sat down with Joshua Konvisser, a partner in the law firm of Pillsbury Winthrop Shaw Pittman. Konvisser represents clients in complex technology transactions. He explains how BYOD can be a legal balancing act between employee privacy, corporate interests and interests of the data owners.
FierceMobileIT: What are some of the privacy issues raised by BYOD?
Konvisser: BYOD is the balancing between employee privacy, protection of corporate interests and the interests of the data owner--should there be customer data on the device. There was actually an interesting article I was looking at not that long ago about the Veterans Administration, which has a BYOD initiative. They are getting gummed up on the fact that there is a lot of PHI [protected health information] that could be on the system, especially as they move into electronic medical records. So not only do you worry about the employee's privacy and the company's confidential information, but you also have to worry about the patient information that may reside on a personal-liable device.
It is really balancing all of those interests in a way that keeps everybody compliant. But I think the end result is likely to be that the employee is going to lose out. The law protects the employee's privacy, but that is something that is being contracted out through the BYOD policy. Otherwise, you have a conflict that is really hard to bridge. You can use technical things like MDM [mobile device management] to try and manage the risk. If somebody wants to seize the device, there is an exposure risk to employee privacy that only gets solved by the employee giving up some rights.
FierceMobileIT: Would that be through an end user licensing agreement that the employee would have to sign?
Konvisser: Typically, BYOD is subject to a policy. It is not a licensing agreement as much as a policy that can be implemented as a condition of my employment. I need to affirm that I am compliant with all of the HR [human resources] policies, one of which would be the BYOD policy. The way the company can up the ante is to say, 'You want me to reimburse you for the data service on your device; the quid pro quo is that you're going to agree to certain policies.' That becomes more challenging in a company that isn't reimbursing data service. There are different methodologies for this. One is, use your own device, and we're going to reimburse you. Another is, use my device. Yet another is, use your device but we are not reimbursing you. For example, in my law firm it is assumed that I have a cell phone, and the firm will pay the data portion. So when I sign up for the data portion, there is a policy that I need to accept that has certain provisions, such as I recognize that they can grab my device if they need to.
If I am advising a company that is starting up a BYOD policy, I say that from a legal perspective, if you want to have the best argument in terms of defeating the privacy interest, the best thing you can do is have someone sign an agreement. Then, there is no argument that this was an unreasonable condition. Whereas, if I just thought it was the employee policy, it becomes easier for the employee to say, well, I didn't know and how was I supposed to know. It depends to some extent on state law. Some states will be very protective of employee rights, so those arguments can have credence. If I am advising the company, the advice is go as far as you can, subject to not wanting to antagonize the employees… Right now, my sense is--and this is not based on any real numbers--that the tide is in favor of the company because employees want BYOD, so there is a willingness on the part of the employee to sign a piece of paper because that's how they want to work. That is playing to the company's advantage because the company can then get the BYOD policy in place that they want.
FierceMobileIT: In your analysis of a recent court case in the Northern District of Ohio (Lazette v. Kulmatycki), you argued that the court was twisting various laws to try to get an employee privacy right. Does every state have a law that protects employee privacy or does that vary from state to state?
Konvisser: The problem in that case was that they didn't. If you ask a privacy person if there are state laws on privacy, the answer is, Yes, there are 48 states that have privacy laws. But what those privacy laws really cover are improper disclosures to the public of private information held by somebody. So that is not really what happened in this case. What happened here was somebody got access to information that they didn't rightly have and took advantage of it. The reason the court was twisting and turning is because the court read the facts and they said this is wrong, it feels really bad. But none of the federal or state laws about privacy squarely touched this issue. One thing that is an interesting lesson for the starting lawyer is, judges are people too. So judges have an innate sense of fairness about what is right and wrong, but their job is to interpret the law. So that is when you get into a situation where the court had to figure out how to get the law to apply to get the right result. I'm not saying that they misconstrued the law. I'm not saying that they twisted the facts, but what I am saying is that the laws really didn't hit this issue squarely, so it wasn't a slam dunk to say, 'Yes, we all feel it's wrong and here is the law that says it's wrong.' Instead, they said we all know it's wrong and we have to use this patchwork of laws that have grown up in different areas to cover this issue, which has no law on it yet.
FierceMobileIT: How does BYOD affect data breaches? Does it increase the risk? Could companies face fines?
Konvisser: Let's say that I have an iPhone sitting on the desk in front of me. Let's say the iPhone has a complete sync with my contacts in Outlook. I have a lot of personal information on my iPhone, and I can use it to link into my corporate directory and find cellphone numbers for some of my colleagues. So now I have a device that goes around the world that somebody could easily get their hands on. It's just more distributed information. It's not that the device is fundamentally bad, it just enables further distribution of sources of information. I can get a spreadsheet emailed to me that has whatever private information I get in connection with my business and it's on my iPhone. If you don't have good MDM on your phone, the way the iPhone works is you can just switch email accounts and move it to my personal email account and send it around the world and the corporation doesn't have controls. With the right type of MDM, you can protect against that. But the naked device allows that kind of behavior. It isn't inherently a privacy breach, but what it does is it makes it easier, just by the mass distribution, for privacy breaches to happen. The best way to deal with that is to train your employees on the risks and how to manage them.
FierceMobileIT: Are there any intellectual property issues related to BYOD?
Konvisser: Yes, absolutely. If you think about it, there is an IP and employment issue that is the same. When I'm doing work on a corporate device, it is pretty much assumed that it is the corporate intellectual property. So as an employee of a company, that which I develop is owned by the company--if I develop it for the company using company resources. Now let's say I come up with a brilliant idea, and I do it on my tablet, which is a personal-liable tablet. Who owns that? If I am an hourly worker, there is an interesting question: if I'm doing work outside of the work hours, that becomes an overtime issue. If I'm developing brilliant ideas as a full-time salaried employee, there is no distinction in my life between when I am working and when I'm not working. Suddenly, my brilliant side project--is that owned by the company? That's an untested question, but it is a question. It blurs the lines.
FierceMobileIT: Is there anything that the company can do to make sure that it retains intellectual property?
Konvisser: In your policy, you would say that any corporate work that you do becomes corporate, but it is really hard to write that without being overbroad. Unless you say we own everything, then it gets messy. That said, companies have been dealing with this issue for a long time. A company that does a lot of intellectual property work usually has an employment agreement that says, 'We own everything you think of, we own your brain.' Those are crafted very differently based on state law. For example, my brother lives in California and he works for a cellphone company. He asked me to take a look at the employment agreement that they put in front of him. It read very differently than a New York agreement because the laws in California are much more restrictive on what the company can require of its employee than they are in New York. California is a more employee-friendly jurisdiction. It is state dependent, but by contract you can allocate intellectual property in an employment agreement when they sign up to get onto the BYOD policy.
FierceMobileIT: Are there any other legal issues that come to mind regarding BYOD?
Konvisser: Typically, the employee has an expectation of privacy, so the BYOD policy needs to override that expectation. We talked about the third-party information. In my example, I talked about protected health information. If it's a financial services entity or any financial information, you also have Gramm-Leach-Bliley that might protect the privacy of the information.
There are also export control issues. So if I have some software that is subject to export controls on my phone and I take the phone into another country, that is a potential risk if you are in a sensitive area. You could need to get a license to take your phone into another country, depending on the country. One thing that people worry about a lot, and this is something that people worried about with laptops and is really not a corporate versus personal-liable issue, but it is an issue in mobile, is getting stopped at customs, where you basically have no rights and they can insist that they take your device, look at it, and suddenly private information has been exposed to the customs officers. That is an issue that people are living with now, but it has expanded by the growth in mobile.
One of the important ones that we touched on, but I'd like to touch on again, is the overtime issue because that is one where people have gotten tripped up when you have hourly employees. If you have hourly employees working on a BYOD device, you need to include in your policy restrictions that they not use the device for corporate purposes outside of business hours because, otherwise, you are going to end up owing overtime back pay.
In the securities industry, you have that two-week mandatory leave. In certain regulated parts of the securities industry, there is a mandatory two-week period where people are not supposed to work. The theory behind it is so that you can audit and make sure they are not doing any insider trading or other bad activity. You are not supposed to be on email or other work activity. If your corporate and personal devices are mingled, you need to think long and hard about how you are going to manage that piece of the process. Using some of the technologies can help you do that. It is something you need to think about if you are in that industry…
FierceMobileIT: What are some of the special legal issues that BYOD poses for regulated industries such as healthcare and financial?
Konvisser: The biggest issues are the privacy issues, but the privacy issues are just exacerbated by the specific laws that cover protection of the information that will undoubtedly end up on these phones or tablets. We talked about policies as the way the employer manages this. The trick is that you not only have to have a policy in place but you also have to have a policy that's enforceable. To have a policy in place and then blatantly ignore it is probably worse than having no policy. You can really get yourself in hot water that way. What it is saying to all of the regulators who might care is, 'Yes, I understand that there is an issue and I didn't do anything about it.' We said that you need to draft your policy to allow you to do all these things; that needs to be tempered with, 'I don't want the policy to say something that I can't enforce because otherwise I look even worse if there is a problem that happens.' If the policy says, 'If you do any of these things, we are going to cut you off and take your phone,' but you know that you are not actually going to be able to do that, don't say that. Write the policy in a way that you can enforce it and that you will enforce it.